Confidentiality and Disclosure of Information:

General Medical Services (GMS) and Alternative Provider

Medical Services (APMS) Code of Practice (Wales)

13 October 2005

CONFIDENTIALITY AND DISCLOSURE OF INFORMATION:

GMS AND APMS CODE OF PRACTICE

Introduction

1. This Code of Practice sets out guidance on the confidentiality of information held by

contractors - referred to collectively in this document as “contractors” – who provide

General Medical Services (GMS) and Alternative Provider Medical Services (APMS).

Similarly where the term “contract” or “contracts” is used in this document it refers to

the contracts entered into by those who provide GMS and APMS (unless there is a

specific reference to the contrary). It also sets out guidance on the provision of

contractor-held information to Local Health Boards (LHBs), and access by, and

disclosure of, that information to LHBs or a person authorised in writing by LHBs.

2. This Code has been developed by the Welsh Assembly Government in consultation

with the General Practitioners Committee (Wales) (GPC(W)) of the British Medical

Association, and other key stakeholders, including representatives from patient bodies.

It makes explicit existing legal and ethical obligations of confidentiality, placing them

in the context of new primary care contractual arrangements. It does not cover in detail

all circumstances in which contractor-held information may be requested, but sets out

principles of good practice for contractors of primary medical services and Local

Health Boards (LHBs) who commission services from them. It also describes

circumstances in which the Welsh Assembly Government (WAG) may request access

to certain contractor-held information. LHBs are required by Directions to comply

with the provisions of this Code when exercising certain functionsa. LHBs should

normally seek actively to involve and engage Local Medical Committees in relation to

the Code where there are any potential issues of contention or where contractors may

require additional support.

3. Local Health Board Medical Services (LHBMS) are not covered by the Directions to

LHBs since the arrangements for providing LHBMS differ in certain respects from the

other primary care contractual arrangements. However, LHBs providing LHBMS are

a The Confidentiality and Disclosure of Information – General Medical Services and Alternative ProviderMedical Services (Wales) Directions 2005 dated (Complete date) 2005

expected to follow the principles in this Code, when appropriate, performance

managed by Welsh Assembly Government on this basis.

Legal Context

4. The NHS (General Medical Services Contracts) (Wales) Regulations 2004b, and the

APMS Directionsc (referred to collectively in this document as “the regulations”)

include provisions relating to patient records, the confidentiality of personal data,

rights of access to, and the provision of patient and practice information held by

contractors. In particular, the regulations provide that GMS contracts and APMS

contracts must contain a term requiring contractors, at the LHB’s written request, to

produce to the LHB, or a person authorised in writing by the LHB; or allow access by

the LHB, or a person authorised in writing by the LHB, to:-

(i) information which is reasonably required by the LHB for the purposes of, or in

connection with the GMS Contract or APMS contract; and

(ii) any other information which is reasonably required in connection with the

LHB’s functionsd.

Such requests are required to be made by LHBs in accordance with the Directions.

5. This Code does not detail each specific provision within the regulations that deal with

obligations on a contractor to provide specific information or reports to LHBs or other

bodies, for example:-

(i) the requirement to send clinical reports to the LHB where services are

provided to non-registered patients (see, for example, Schedule 6 paragraph 7

of the GMS Contracts Wales Regulations);

(ii) notifications of deaths (see, for example Schedule 6 paragraph 85 of the GMS

Contracts Wales Regulations).

b S.I. 2004/478c The Alternative Provider Medical Services Directions 2004 dated 22 November 2004.d See paragraph 76 of Schedule 6 to the NHS(GMS Contracts) Wales Regulations.

Scope of the Code

6. This Code applies to contractors and to LHBs, to all the staff employed by the practice

and LHBs for the purposes of the contract, and individuals involved in work under the

contract who are otherwise associated with the practice (for example locum GPs). It

covers LHB access to, or requests for disclosure of, contractor held information. This

includes information to support payments under the Quality and Outcomes Framework

(QOF) in relation to GMSe.

7. Four categories of information are covered in this Code:-

(i) anonymised or aggregated patient information;

(ii) confidential patient information;

(iii) practice-level information;

(iv) information about individual staff employed by the practice for the purposes of

the contract, and individuals involved in work under the contract who are

otherwise associated with the practice (eg locum GPs).

8. In dealing with disclosure of information, contractors, LHBs and the other bodies

referred to in this document should have regard to other publications issued to support

implementation of the GMS Contract, and APMS, and to:-

(i) the NHS Wales Confidentiality site on HOWIS

(http://howis.wales.nhs.uk/microsite/page.cfm?OrgID=305&PID=568)

(ii) Guidance Notes on Section 60 of the Health and Social Care Act 2001, for

those wishing to use patient identifiable information for an acceptable purpose

as defined by the Actf (www.dh.gov.uk./PublicationsandStatistics)

e Detailed guidelines on the operation of the QOF are set out in eg Delivering Investment in General Practice:HOWIS (Intranet) - http://howis.wales.nhs.uk/microsite/documents/480/chapter1%2De%2Epdf or HOWISInternet) - http://www.wales.nhs.uk/sites/documents/480/chapter1%2De%2EpdfAnnual QOF Review Process Guidance:HOWIS (Intranet) - http://howis.wales.nhs.uk/microsite/documents/480/AnnualReviewVisitsGuidance%2Epdfor HOWIS (Internet) - http://www.wales.nhs.uk/sites/documents/480/AnnualReviewVisitsGuidance%2Epdff The Control of Patient Information Regulations made under section 60 are of general application. They do notoverride powers in paragraph 76 of Schedule 6 of the NHS (GMS Contracts) (Wales) Regulations or similarprovisions in the NHS (APMS) Directions 2004 to provide information in particular circumstances.

9. Although they are not explicitly covered by this Code, Annex A outlines the position

in relation to:

(i) Community Health Councils;

(ii) Healthcare Commission;

(iii) NHS Counter Fraud and Security Management Service (NHSCFSMS);

(iv) NHS Internal Audit;

(v) Social Services Departments;

(vi) National Patient Safety Agency (NPSA) - National Clinical Assessment

Service (NCAS); and,

(vii) Researchers.

General Principles

10. Patient information held by contractors is generally held under legal and ethical

obligations of confidentiality. Patients seeking treatment entrust sensitive information

to those who provide their healthcare. They do so in confidence, and have the

legitimate expectation that their privacy will be respected, and that their health records

will be used by the health service to support their healthcare. Information that can

identify individual patients must not be used or disclosed for purposes other than

healthcare without the individual’s explicit consent, or some other legal basis, such as

a robust public interest or legal justification for doing so.

11. However, the provision of care and treatment does require information to be shared

appropriately amongst those that provide that care. In addition, data (which will in

most cases be anonymised or aggregated) is required to support the wider functioning

of the NHS, including management of healthcare services. When LHBs require access

to information, they should explain to practices the precise purpose for which access is

required and who will gain access. Generally, patients who present for care are

assumed to consent to the required information sharing between clinicians for the

purposes of their individual healthcare needs. Ensuring that patients understand how

such information may be shared underpins this assumption and is therefore extremely

important. Where appropriate, clinical and non-clinical staff may need to discuss

consent issues with patients and check patient understanding. The General Medical

Council’s “Confidentiality: Protecting and Providing Information”, April 2004,

provides additional information (http://www.gmc-

uk.org/standards/confidentiality.htm).

12. Patient Information should only be held, used or shared appropriately and with good

reason. Where information identifies individuals, it is likely to be subject to Data

Protection Act provisions. Where those individuals are patients, there will be

obligations of confidentiality and privacy. Even where there are no apparent legal

restrictions on disclosing or permitting access to information, care should be taken to

ensure that its use will not result in detriment, whether to individuals, to practices or

the wider NHS, unless there is a robust public interest in disclosing information, or a

legal basis, such as a request under the Freedom of Information Act or disclosure in

accordance with Data Protection Act.

13. The standards and constraints that apply to the holding, using and sharing of

information are important components of Information Governance in the NHS. This

Code of Practice reflects Information Governance principles in relation to the

disclosure of, or access to, information. The key governance principles are that:-

(i) Contractors should provide a confidential and secure service for patients;

(ii) Information should only be disclosed or shared by contractors when it is lawful

to do so;

(iii) Information should be disclosed or otherwise shared by contractors on a “need

to know” basis;

(iv) Where LHBs need to obtain information from contractors, the minimum

necessary information should be determined and the disclosure limited

accordingly;

(v) Where, exceptionally, there is a need for LHBs to seek access to or to obtain

information beyond that generally required for their day to day business, and

where access to patient identifiable information is necessary (see paragraphs

29-31), the process of obtaining such information will be open to audit and

appropriate scrutiny – such as by the Welsh Assembly Government, NHS

auditors, or Caldicott Guardians;

(vi) Where data is required that identifies an individual patient, the patient’s

consent may be necessary, depending on the circumstances and purpose for

which the data is required (see paragraphs 29-31).

14. Even though sharing information for healthcare purposes will be

lawful within GMS or APMS practices, personal medical records should only be

accessed within practices on a “need to know” basis, for example, by:-

(i) GPs, who will usually have access to the complete clinical record;

(ii) Other health professionals involved in the care of patients, eg nurses and allied

health professionals employed by the contractor or other organisations such as

the LHB. In some situations, only a summary of clinical information may be

required that relates to a particular aspect of patient careg;

(iii) Contractor staff with responsibility for the management of patient records,

including security and the transfer and updating of records;

(iv) Health professionals employed by local authorities .

Providing a Secure & Confidential Service

15. This Code requires that all disclosures of information follow the principles of limiting

disclosure to the minimum necessary, keeping patients informed and seeking consent

where appropriate, disclosing information for defined purposes only, and only

permitting access to information on a need to know basis. This provides for a

procedural hierarchy, i.e.

(i) Where anonymised information will satisfy a purpose, disclosure should be

limited to anonymised information as far as is practicable;

(ii) Where anonymised information will not suffice or is impracticable, the

patient’s consent may be necessary, depending on the circumstances and g All qualified nurses are required to be registered with the Nursing Midwifery Council and are thereforerequired to abide by the Code of Professional Conduct, which includes protection of confidentiality of the patientor clinical record. Nurses are personally accountable for their own practices. Allied Health Professionals areregulated by similar requirements.

purpose for which the data is required (see paragraphs 29-31). Where such

consent is not sought or is not required, the reasons for disclosure must be

demonstrated and recorded, and there must be a clear audit trail, available for

scrutiny by bodies such as the Welsh Assembly Government, NHS Audit and

Caldicott Guardians - see paragraph 31).

16. The key elements of information governance that contractors should have regard to

are:

(i) Procedures should be in place to ensure that contractors, staff and volunteers

are aware of their responsibilities regarding confidentiality and security;

(ii) Employment contracts should include specific requirements relating to the

confidentiality of personal patient information, linked to disciplinary

procedures;

(iii) Patient information should be recorded accurately and consistently;

(iv) Patient information should be kept private;

(v) Patient information should be kept physically secure;

(vi) Information should only be used and disclosed with appropriate care;

(vii) Patients should be informed, in general terms, how their information may be

used, who will have access to it and the organisations it may be disclosed to.

17. Contractors are required by virtue of their Contract to nominate a person with

responsibility for practices and procedures relating to the confidentiality of personal

data held by the contractorh. This reflects an existing requirement that applies to all

other NHS bodies, where roles such as ‘Caldicott Guardian’ or ‘Caldicott Lead’ are

common. In primary care, this responsibility might be delegated to an appropriate

member of the practice, though clinicians will need to be involved where decisions

about the disclosure of confidential clinical information need to be made. Contractors

should also have regard to the need for security of personal data.

18. Contractors providing essential services must ensure that their Patient Information

Leaflet contains details of who has access to patient information (including

information from which the identity of the individuals can be ascertained) and the

patient’s rights in relation to the disclosure of such informationi . The leaflet should

refer to the possibility of anonymised or patient-identifiable information being

disclosed for the purpose of the provision of care and treatment and the management

of healthcare services within the NHS. Patients should also be informed of their rights

under the Data Protection Act, including any procedures for complaint or objection.

Contractors may also want their leaflet to identify who should be the point of contact

for those who have concerns about confidentiality issues. Practices may wish to refer

to this Code of Practice in their Leaflet, and where a copy can be obtained.

Anonymised or aggregated patient information

General

19. Wherever practicable, patient data disclosed for purposes other than the patient’s care

should be anonymised. Anonymised or statistical information is not confidential and

may be used with relatively few constraints. Anonymised information is information

that does not identify an individual. Anonymisation requires the removal of name,

address, full postcode, date of birth, NHS number and local patient identifiable codes,

and any other detail or combination of details that might support identification.

Aggregated information is statistical information, which, if care is taken with respect

to rare conditions etc, will also provide anonymity for patients.

20. In certain circumstances, contractors may need to anonymise patient records prior to

disclosure. It will usually be for the person passing on the data to ensure that it is

passed on in a non-identifiable form, wherever that is practical. LHBs and contractors

should aim to work together to develop the capacity to generate anonymised and

aggregated information. In particular, the upgrading of practice IT equipment will

provide opportunities to improve this capacity.

21. There are circumstances where it will not be practicable for anonymised information

to be generated in order to satisfy the purposes of third parties. This may be because

there is limited capacity to anonymise information by a contractor, or where the

h See paragraph 74 to Schedule 6 of the NHS (GMS Contracts) (Wales) Regulations 2004 i See paragraph 75 to Schedule 6 and Schedule 10 of the NHS (GMS Contracts) (Wales) Regulations 2004

contractor is unable to anonymise data with a reasonable degree of ease (for example

because it would involve substantial additional work, or because the purpose to be

satisfied requires examination of original records). Where any of these apply, care

must be taken to ensure that disclosure of information is lawful.

LHBs

22. LHBs require access to anonymised patient information for a range of purposes in

order to fulfil their statutory responsibilities to provide primary care services and

discharge their wider functions. Where LHBs require access, they should explain to

practices the precise purpose for which access is needed and who will gain access.

These circumstances include:-

(i) Strategic planning;

(ii) Financial management;

(iii) Public health;

(iv) Workforce planning;

(v) To check that payments under the Quality and Outcomes Framework (QOF)

are, or have been, accurate, complete and correct;

(vi) To carry out an annual review of the contractor’s performance, including

patient experience, against the QOF;

(vii) Clinical audit purposes;

(viii) Internal audit;

(ix) To deter, prevent and detect fraud;

(x) Where the LHB has concerns about a contractor’s compliance with its contract.

23. A person acting on behalf of the LHB, must, if requested, produce written

authorisation to the contractor in order to see or access information held by the

contractor.

Welsh Assembly Government

24. Anonymised or aggregated information may also be requested for certain purposes by

the Welsh Assembly Government.

25. Under paragraph 76 of Schedule 6 to the NHS (GMS Contracts) (Wales) Regulations

2004 or its APMS equivalent, a contractor is only required to provide information to

the LHB or a person authorised in writing by the LHB. There may be some occasions

where the information needs of the Welsh Assembly Government can be more

effectively met by asking a contractor directly for anonymised or aggregated

information. This may be, for example, where the Welsh Assembly Government, in

fulfilling its performance management function of a LHB, needs to clarify an aspect of

the LHB’s performance. Failure to comply with a request for information from the

Welsh Assembly Government will not be a breach of contract. However, in deciding

how to respond, contractors should bear in mind that the same request for information

may later be made by the LHB in accordance with the terms of the contract and this

Code.

26. This situation does not affect any separate contractual obligations that a contractor

might have to provide information to the Welsh Assembly Government, for example,

in relation to disputes on assignmentsj.

27. The Welsh Assembly Government may request information deriving from practices in

order to support the Welsh Assembly Government’s work. This data, such as the

Attribution Dataset (Annex B) for resource allocation, will usually be requested via

LHBs.

Confidential Patient Information

General

28. By definition, confidential patient information is that which can identify individual

patients and is information that was gathered in circumstances where it is reasonable

for the patient to expect his/her confidence to be respected.

LHBs

29. The circumstances in which the LHB, or persons authorised by the LHB, may need to

access and obtain information that identifies individual patients should be limited. A

decision to disclose such information to the LHB will be a matter for the contractor.

However, a contractor may risk being in breach of its contract if it refuses to produce

information which the LHB reasonably requires and which it has requested in

accordance with the relevant requirements of this Code. The circumstances in which,

in the view of the Welsh Assembly Government, patient identifiable information

would generally be reasonably required by the LHB and could lawfully be disclosed

by the practice would include:-

(i) where the practice is unable to anonymise data that is needed to support the

wider functioning of the NHS, including the management of healthcare

services, such as the QOF annual review process. For example, this may be

where the practice does not possess an IT system which can ensure complete

anonymisation, or where it is not practicable to anonymise paper records -

such as where this would require substantial additional work on the part of the

practice, or where the practice cannot guarantee to erase all identifying

information. The practice should make a judgement in the context of each

request for information as to whether or not anonymisation is practicable.

Where anonymisation is not practicable, data may be released to the LHB in

patient identifiable form (but see paragraph 31).

(ii) where the LHB is investigating and assuring the quality and provision of

clinical care - for example, in relation to a written complaint made by, or on

behalf of, a patient (whether living or dead);

(iii) where it is needed in relation to the management of the contract or agreement –

for example, where remedial action, or termination of the contract/agreement

is being considered (eg because of poor record keeping);

(iv) where the LHB considers there is a serious risk to patient health or safety;

(v) investigation of suspected fraud or any other potential criminal activity;

j See, for example, paragraph 36 of Schedule 6 to the NHS (GMS Contracts) (Wales)Regulations 2004.

30. In cases where patient identifiable information is required, it will, in some

circumstances, be necessary to obtain the consent of the individual concerned to

disclosure. This will depend upon the circumstances of the case. For example, consent

will not be necessary to comply with the Data Protection Act or common law duties of

confidentiality where the practice is unable to anonymise data and the LHB requires

access to data for

• checking legal entitlement to payments; or

• the management of healthcare services – provided that those accessing that

data are bound by a duty of confidentiality not to disclose information.

Where a LHB requires access to a particular patient record for the purposes of the

QOF and the practice can demonstrate that disclosure of that particular record would:

(a) be unlawful for a reason not relating to data protection or the common law

duty of confidentiality – e.g. because of a court order or another statutory

requirement;

(b) involve the disclosure of personal data relating to third parties without their

consent and which cannot be removed with a reasonable degree of ease; or

(c) a patient has explicitly requested non-disclosure of particularly sensitive

aspects of their records which cannot be removed from the material to be

disclosed with a reasonable degree of ease,

the practice should explain its reasons for non-disclosure to the LHB and ask the LHB

to select a different record. LHBs should normally accede to such requests, unless the

purpose for which the information is required would thereby be defeated. If this is the

case, the issue of consent to disclosure should be further considered.

31. Where the patient’s consent is not sought to identifiable information, the reasons why

must be documented, and there must be a clear audit trail. Where a practice is making

a disclosure on the basis that it is justified in the public interest (eg to prevent abuse or

serious harm to others) and that the public good which would be achieved by

disclosure outweighs the obligation of confidentiality to the individual patient

concerned, such a disclosure should be proportionate and limited to relevant details.

Contractors should be prepared to justify such disclosures to a court or regulatory

bodies.

Welsh Assembly Government

32. The Welsh Assembly Government may need to see patient-level data in certain

circumstances. For example, the Welsh Assembly Government is responsible for

resolving certain disputes under the GMS contract and APMS agreements, and may be

responsible for resolving patient complaints. Where the Welsh Assembly Government

needs to see patient-level data, data must be anonymised, unless there are exceptional

reasons why identifiable data is required – in which case, the patient’s consent should

be sought and obtained. Where, exceptionally, consent is not forthcoming, the

conditions described in paragraphs 29-31 apply equally to the Welsh Assembly

Government. Welsh Assembly Government staff must ensure that appropriate

information governance arrangements are in place to safeguard all the information

they hold.

33. It is not, in general, necessary for the Welsh Assembly Government to see individual

patient level data. However, the Assembly collates patient data at postcode level in

the Attribution Data Set (see Annex B). Whilst not containing readily identifiable

individual level data, it includes sufficient detail to allow data about individuals to be

deduced. The Assembly therefore has in place effective security and management

protocols to safeguard patient privacy during data processing. All of the outputs are of

aggregated data. The Assembly is involved in development work using the GP

practice code and data on deceased patients but all data is anonymised and then

aggregated.

Practice Level data

General

34. Contractors need to access their own practice-level data for specific purposes. This

includes data to assist planning, develop and evaluate the delivery of services, and to

measure delivery against national and local organisational and clinical benchmarks.

For contractors taking part in the national QOF, this data will be used to calculate

likely income, and so contribute to financial planning. Contractors may also wish to

share their quality data with other practices, or with the Local Medical Committee

(LMC).

LHBs

35. LHBs will need to see relevant QOF practice data in–year on a monthly basis to

enable them to oversee practice development, including expenditure against

projections. Such data will be available via Contract Manager, which will provide

monthly reports on each contractor’s performance against the QOF to the contractor’s

LHB. LHBs will also require access to end-year data– for example, for planning

purposes, and to confirm payments to be made to the contractor under the QOF.

36. In all cases, it will be necessary for the LHB to be able to identify, from practice-level

data, contractors within the LHB area. This will enable the LHB, as part of its

statutory functions, to identify where it may be necessary to request further

appropriate and relevant information from contractors, as well as enabling it to

identify any contractor which may be experiencing difficulties and to arrange for it to

receive appropriate support. It will not usually be necessary for in-year contractor

identifiable data to be disclosed outside the LHB unless the contractor agrees, there is

a robust public interest to do so, or it is covered by a formal publication scheme or is

otherwise in accordance with the law – for example under the Freedom of Information

Act.

37. LHBs and contractors will agree between them arrangements for the annual contract

review and visit, and the annual QOF review and visitk. Where practicable, both

reviews may be combined. Following either review, or as a result of issues which

arise in-year, the LHB may require additional information, possibly combined with

further visits by the LHB or a person or persons acting on its behalf.

k Paragraph 79 of Schedule 6 to the NHS (GMS Contracts) (Wales) Regulations 2004

Welsh Assembly Government

38. As part of their performance management responsibility, The Welsh Assembly

Government will need to see in–year data from different LHBs within the Regional

Office areas, in order to compare performance, monitor financial performance and

LHB management of the contract/agreements. Such data will be required on a

monthly basis. It will not usually be necessary for in-year contractor identifiable data

to identify individual contractors. However, LHBs may provide data to the Assembly

which identifies an individual contractor if that contractor agrees, or where, subject to

The Welsh Assembly Government will also need to see end-year practice-level data as

part of their performance management function. The provisions of the Data Protection

Act if applicable, there are circumstances such as a need to safeguard public health,

understand significant performance variations or respond to a request under the

Freedom of Information

Information about individual staff employed by or otherwise associated

with the practice

General

39. It is also important for contractors to consider the handling of personal data about their

staff. Handling of such data is covered by provisions in the Data Protection Act 1998

and the Human Rights Act 1998.

LHBs

40. LHBs may require data on staff employed by or associated with contractors for certain

purposes. These include – for workforce planning purposes, and where necessary, to

seek evidence that staff employed by contractors are suitably trained and qualified.

Welsh Assembly Government

41. The Welsh Assembly Government may require practice-level workforce information

to support the development of planning across their health economy and for statistical

purposes, e.g.: to-

(i) inform workforce planning policy;

(ii) form a realistic view on the size of the workforce, taking into account staff

who work in more than one place;

(iii) allow retention, recruitment and other flows to be measured.

42. Wherever possible, anonymised data will be used in accordance with the principles

outlined in paragraphs 19-21. As an example of access to such data, each year the

Welsh Assembly Government produces information on earnings and expenses of GPs.

Tax returns received by the Inland Revenue are used as the source of the data. To meet

19-21 confidentiality and disclosure obligations, the analysis is conducted by the

Inland Revenue. Once the analysis has been completed, the Inland Revenue provides

the Department with only aggregated results. Anything which could allow individual

GPs to be identified is withheld from the Department. Where, exceptionally, data

which could identify individuals is required, the Department will ensure that any

request for

43. Where data are collected for statistical purposes, they will not be used to inform

decisions relating to any individual. In addition, the individually identifiable data will

not be disclosed to any third party except in certain limited circumstances where the

Welsh Assembly Government, as data controller, has firm written assurances that the

data will be used only for statistical or research purposes, as defined in section 33 of

the Data Protection Act.

ANNEX A

Community Health Councils

CHCs monitor and evaluate the effectiveness of health services from the patients’ perspective

and will ensure that patient’s views are fed into local decision making processes. CHCs also

have a statutory duty to respond to consultations undertaken by LHBs and NHS Trusts on

substantial service changes. CHCs also have a statutory duty to provide advocacy support to

people who which to make a complaint about an NHS organisation in Wales. In carrying out

these functions, CHCs have a statutory right to request information and this information must

be provided subject to the limitations set out in the regulations.

Healthcare Inspectorate Wales (HIW)

HIW carries out reviews and investigations into the provision of healthcare by and for NHS

bodies under the Health and Social care (Community Health and Standards ) act 2003. HIW

has powers to require information, documentation and to interview persons and may in

exercising its functions require confidential, personal data and aggregated anonymised

information.

National Patient Safety Agency (NPSA) – National Clinical Assessment Service (NCAS)

The purpose of the NCAS is to protect patients by helping the NHS to address concerns about

doctors. The NCAS provides advice to Local Health Boards (LHBs) about local handling of

cases and about good local procedures for managing GPs whose performance gives cause for

concern. They also undertake assessments of a doctor’s performance to clarify concerns and

make recommendations for how concerns may be addressed. Where a doctor undergoes an

assessment by the NCAS the LHB will need to arrange for the casework manager to access a

sample of patient records for the purpose of examining the quality of the records kept by the

doctor, and the quality of care provided, as evidenced in the records.

NHS Counter Fraud and Security Management Service (NHS CFSMS)

The NHS CFSMS has responsibility for reducing NHS losses to fraud and corruption to an

absolute minimum. The NHS CFSMS regional team for Wales was established in 2001 to

prevent and detect fraud in the NHS in Wales. The team is assisted by a network of local

counter fraud specialists within NHS Trusts and the Business Services Centres established

under directions issued in 2001. LHBs also have responsibility for countering fraud in the

NHS. The NHS CFSMS has agreed a memorandum of understanding with relevant

professional bodies to facilitate access to information in the investigation of allegations of

fraud and corruption

Examples of the kind of information NHS CFSMS might request include non-clinical

individual patient data such as name and address, where there are grounds for believing that

claims have been made for a service not provided. Data is gathered to assist in exercises

carried out to assess the level of risk to NHS funds in a particular service area and to reassess

the impact on these levels of fraud after counter fraud measures have been introduced. Data

would also be sought to assist in investigation of alleged frauds against the NHS.

NHS Internal Audit

NHS internal auditors have powers through the NHS bodies' Standing Financial Instructions,

which provide them with access to all records, documents and correspondence relating to any

financial or other relevant transactions, including documents of a confidential nature.

They are required to provide assurances about the systems of internal control and may on

occasion require access to contractor and patient records in order to establish the validity of

claims, for example, in respect of minor surgery or diabetes clinics. The access to patient

records is likely to be infrequent and focused on areas of high risk where they have identified

control weaknesses.

Social Services Departments

It may sometimes be necessary to share confidential personal information with Social

Services Departments to protect children or other vulnerable individuals. In such cases,

contractors or other health professionals employed by them should provide relevant

information in a timely manner and should keep a record of the disclosure and the justification

in case of subsequent challenge or proceedings.

Research Purposes

The use of anonymised data is preferable for research purposes. Where systems that are

capable of providing anonymised data sets for researchers do not yet exist, the use of

identifiable patient information to support research may be appropriate and necessary but will

require explicit patient consent. If a patient cannot be contacted to obtain consent, it should

not be assumed that their medical details can be used for research purposes. Further

information about access to NHS records for research purposes can be found in Guidance

Notes to section 60 of the Health and Social Care Act 2001.

ATTRIBUTION DATA SET 2004 – DATA REQUIREMENT ANNEX B

Field Type Max.Charact

ers

Field Content

Q Code 3 Every patient Q Coded according to postcode. Where a postcode is not available, patients GPs responsible HA Q Code isutilised until the postcode is established.

PCG/LHB code 5 Every patient PCG/T coded according to GP, where available.Practice Identifier 6 GP National Code of Senior Partner (Partnership assumed to be broadly equivalent to Practice). (6 numerics)

Fringe Partnerships are to be extracted. ‘Ended’ GPs are to be allocated the Practice Identifier of the Senior Partner of the practice the GP was last associated with.

GP GNC Code 6 GP National Code of each GP.GNC Code of “ZZZ001” to be used for patients removed from previous GPs list at doctor’s request. GNC code of “ZZZ002” to be used for patients removed from previous GPs list at patient’s request. If GNC Code for a real GP cannot be ascertained, a GNC Code of “UNKNOW” will be utilised.

GP Status Code 1 Status of each as either GMS or PMS.“G” = GMS, “P” = PMS

Postcode 8 Valid postcode formats are: “AnbbbNAA”, “ANNbbNAA”, “AANbbNAA”, “AANNbNAA”, “ANAbbNAA” or“AANAbNAA”. For those patients without a postcode, a value of “UNKNOWN” will be utilised.

Sex code 1 “M”, “F”. Records with unknown sex to default to female. Counting and reporting of unknown sexes separately is notrequired.

Age Range Code 1 5 year age bands codes - A = “00”, B = “01-04”, C = “05-09”, D = “10-14”, E = “15-17”, F = “18-19”, G = “20-24”, H =“25-29”, I = “30-34”, J = “35-39”, K = “40-44”, L = “45-49”, M = “50-54”, N = “55-59”, O = “60-64”, P = “65-69”, Q =“70-74”, R = “75-79”, S = “80-84”, T = “85+”, U = “UNKNOWN”

Nursing/Residential Homemarker

1 Records whether the patient resides in a nursing/residential home or not. “Y” or null.

Patient Capitation 6 Count of the number of patients - as at April 2004 (dependent on the run date) – with a GP, with a postcode reportedby Age Range Code band within Sex Code. NOTE: the minimum number will be “1” ie zero entries will not beshown.